[Snort-users] writing rule with uricontent keyword

Matt Kettler mkettler at ...4108...
Mon Feb 28 12:01:31 EST 2005


At 02:39 PM 2/28/2005, Jiju Menon wrote:
>I tried to get an alert with a test rule using uricontent:
>
>alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"yahoo.com";
>uricontent:"yahoo.com";nocase;)
>
>The rule seems not to detect a connection made to yahoo.com. Can
>anyone help me to get this rule working?

At casual glance, it looks OK...

As a sanity check, can you try a rule using "any any -> any 80" instead of 
HOME_NET and EXTERNAL_NET?

You also might need http_inspect enabled for the uricontent keyword to work. 
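
An added example, not part of the original thread or either poster's configuration: the two suggestions above written out as Snort 2.x configuration, with a plain `content` rule alongside as an added diagnostic. The sid values, the message strings and the unicode.map location are assumptions.

```snort
# uricontent searches the normalized request-URI buffer that the http_inspect
# preprocessor builds, so the preprocessor has to be loaded and has to cover
# the port the rule watches.
# Stock Snort 2.x form; the unicode.map path is an assumption (relative to snort.conf).
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 }

# Sanity check from the reply: same rule options, header widened to any/any so
# the HOME_NET / EXTERNAL_NET definitions are taken out of the picture.
# sid is a constructed local value.
alert tcp any any -> any 80 (msg:"uricontent test, any/any header"; uricontent:"yahoo.com"; nocase; sid:1000001; rev:1;)

# Added diagnostic (not suggested in the thread): the same string matched
# against the raw payload instead of the URI buffer.
alert tcp any any -> any 80 (msg:"content test, any/any header"; content:"yahoo.com"; nocase; sid:1000002; rev:1;)

# The rule as originally posted, given a local sid so its alerts can be told
# apart from the two test rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"yahoo.com"; uricontent:"yahoo.com"; nocase; sid:1000003; rev:1;)
```

If sid 1000002 fires and 1000001 does not, the traffic is reaching Snort and the gap is in URI inspection; if only 1000003 stays silent, look at the HOME_NET and EXTERNAL_NET definitions.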




